Michael S. Tsirkin
2021-Nov-22 09:32 UTC
[PATCH] vsock/virtio: suppress used length validation
It turns out that vhost vsock violates the virtio spec
by supplying the out buffer length in the used length
(should just be the in length).
As a result, attempts to validate the used length fail with:
vmw_vsock_virtio_transport virtio1: tx: used len 44 is larger than in buflen 0

Since vsock driver does not use the length for tx and
validates the length before use for rx, it is safe to
suppress the validation in virtio core for this driver.

Reported-by: Halil Pasic <pasic at linux.ibm.com>
Fixes: 939779f5152d ("virtio_ring: validate used buffer length")
Cc: "Jason Wang" <jasowang at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

--- net/vmw_vsock/virtio_transport.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index 4f7c99dfd16c..3f82b2f1e6dd 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -731,6 +731,7 @@ static unsigned int features[] = { static struct virtio_driver virtio_vsock_driver = { .feature_table = features, .feature_table_size = ARRAY_SIZE(features), + .suppress_used_validation = true, .driver.name = KBUILD_MODNAME, .driver.owner = THIS_MODULE, .id_table = id_table, -- MST
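Review bot: the added `.suppress_used_validation = true,` line in `virtio_vsock_driver` has no comment, so the reason the core check is switched off (vhost vsock putting the out buffer length in the used length) and the condition that makes it safe (tx ignores the used length, rx validates it before use) are recorded only in the commit message. A short comment above the field stating both would keep later rx-path changes from dropping the driver-side check and would mark the flag as removable once the vhost-vsock side conforms.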
Stefano Garzarella
2021-Nov-22 10:58 UTC
[PATCH] vsock/virtio: suppress used length validation
On Mon, Nov 22, 2021 at 04:32:01AM -0500, Michael S. Tsirkin wrote:
>It turns out that vhost vsock violates the virtio spec
>by supplying the out buffer length in the used length
>(should just be the in length).
>As a result, attempts to validate the used length fail with:
>vmw_vsock_virtio_transport virtio1: tx: used len 44 is larger than in buflen 0
>
>Since vsock driver does not use the length for tx and
>validates the length before use for rx, it is safe to
>suppress the validation in virtio core for this driver.
>
>Reported-by: Halil Pasic <pasic at linux.ibm.com>
>Fixes: 939779f5152d ("virtio_ring: validate used buffer length")
>Cc: "Jason Wang" <jasowang at redhat.com>
>Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
>---
> net/vmw_vsock/virtio_transport.c | 1 +
> 1 file changed, 1 insertion(+)

Thanks for this fix

Reviewed-by: Stefano Garzarella <sgarzare at redhat.com>

I think we should also fix vhost-vsock violation (in stable branches too).

@Halil do you plan to send a fix? Otherwise I can do it ;-)

Thanks,
Stefano
Stefan Hajnoczi
2021-Nov-23 12:49 UTC
[PATCH] vsock/virtio: suppress used length validation
On Mon, Nov 22, 2021 at 04:32:01AM -0500, Michael S. Tsirkin wrote:
> It turns out that vhost vsock violates the virtio spec
> by supplying the out buffer length in the used length
> (should just be the in length).
> As a result, attempts to validate the used length fail with:
> vmw_vsock_virtio_transport virtio1: tx: used len 44 is larger than in buflen 0
>
> Since vsock driver does not use the length for tx and
> validates the length before use for rx, it is safe to
> suppress the validation in virtio core for this driver.
>
> Reported-by: Halil Pasic <pasic at linux.ibm.com>
> Fixes: 939779f5152d ("virtio_ring: validate used buffer length")
> Cc: "Jason Wang" <jasowang at redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
> ---
> net/vmw_vsock/virtio_transport.c | 1 +
> 1 file changed, 1 insertion(+)

Reviewed-by: Stefan Hajnoczi <stefanha at redhat.com>
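The used-length check this thread is about, as an added C model that is not kernel code and not part of any message above. It shows why a tx chain with no "in" buffer fails the core check when the out length is reported, and that once the check is suppressed the driver's own rx bound is the only guard. The struct, the function names, the 4096-byte rx buffer and the 44-byte minimum are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of one descriptor chain as the driver posted it. */
struct chain {
    uint32_t out_len; /* driver-readable bytes, read by the device */
    uint32_t in_len;  /* device-writable bytes, filled by the device */
};

/* Constructed samples: 44-byte tx chain (length from the quoted log line)
 * and an rx chain with an assumed 4096-byte buffer. */
static const struct chain SAMPLE_TX = { 44, 0 };
static const struct chain SAMPLE_RX = { 0, 4096 };

/* Spec-conforming device: used length counts only bytes written to "in". */
static uint32_t used_len_conforming(uint32_t written)
{
    return written;
}

/* Behaviour described in the thread: out buffer length lands in used length. */
static uint32_t used_len_with_out(const struct chain *c, uint32_t written)
{
    return c->out_len + written;
}

/* Core-side validation, with the per-driver opt-out the patch sets. */
static bool core_accepts(const struct chain *c, uint32_t used, bool suppress)
{
    return suppress || used <= c->in_len;
}

/* Hypothetical driver-side rx check: bound used length by the posted buffer. */
static bool rx_len_ok(const struct chain *c, uint32_t used, uint32_t min_len)
{
    return used >= min_len && used <= c->in_len;
}

int main(void)
{
    uint32_t tx_used = used_len_with_out(&SAMPLE_TX, 0);
    printf("tx used=%u core=%d suppressed=%d\n", (unsigned)tx_used,
           core_accepts(&SAMPLE_TX, tx_used, false),
           core_accepts(&SAMPLE_TX, tx_used, true));
    /* Oversized rx claim: the core no longer rejects it, the driver must. */
    printf("rx used=5000 suppressed=%d driver=%d\n",
           core_accepts(&SAMPLE_RX, 5000, true), rx_len_ok(&SAMPLE_RX, 5000, 44));
    return 0;
}
```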